Best encrypt Algorithm to use

New Here, Mar 31, 2009
We have an e-commerce store that needs to store credit card numbers for a few of its customers. I know that the best solution is to not store the numbers at all and this is our default option, however there are few stores that need this information for shipping, etc. We are using the encrypt function in cf8 and were wondering which algorithm would be best for this case.
Guest
Apr 01, 2009
Alternative to storing CCs is to do reference transactions if your payment gateway supports these types of transactions. This would be where you do an authorization only on the card for a very small amount. If the return is successful, subsequent charges to the credit card can be done just using the authorization and/or transaction #, usually up to the expiration of the CC on the original charge. A lot of vendors, even ones that do subscription based services, are moving to this model. And at some point I would say the industry will require this. PayFlowPro supports this.

Other than that I would recommend Triple DES since this would be 2 way encryption, then use some sort of salting to make it a bit harder to decrypt if someone gets the raw data. Something like encrypt CC+secret key, then encrypted value+secret key 2, encrypt+order total. Keep the 2 keys in different locations.

Keep the keys, salting scheme and data in different locations, and minimize the access level to the bare minimum. Also don't keep code and the encrypted data on the same server, and they should if possible be firewalled off from each other with minimum access.
Explorer, Apr 03, 2009
I would agree with Byron that you really should look for other ways to do this. You should be sure to review the PCI Compliance regulations for storing card data... what is required is very extensive and requires more than most small merchants can afford to do. For instance, you can't just use CF encryption... the encryption key itself needs to be encrypted (key encryption key) and that has to be saved somewhere apart from the web server (typically a separate appliance is used). The security policies that must be in place and the hardware needed to fulfill PCI compliance at this level are quite extensive. Be really careful about doing this kind of thing in terms of protecting your own interests as well, because you don't want to get stuck with a lawsuit when the merchant gets fined by their bank for failing to comply. Should there be a breach and card data stolen, fines can be quite hefty.
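An added example (not code posted in this thread) of the key-encryption-key layout the reply above describes, built on the CF8 encrypt()/decrypt() calls the question asks about: each record gets its own AES data key, which is stored only in wrapped form; the KEK file path and the test card number are constructed placeholders.

```cfml
<cfscript>
// Added example, not from the thread. Assumes the KEK lives in a file
// outside the web root at /opt/app/keys/kek.txt (hypothetical path),
// generated once with generateSecretKey("AES") and never stored with the data.
// Envelope scheme: a fresh AES data key (DEK) per record encrypts the PAN,
// and the DEK is itself encrypted under the KEK. Only ciphertext, IVs and
// the wrapped DEK are written to the database.
ALGO = "AES/CBC/PKCS5Padding";

function randomIv() {
    // 16 random bytes for the CBC IV; a fresh AES-128 key is a handy source
    return binaryDecode(generateSecretKey("AES"), "Base64");
}

function protectPan(pan, kek) {
    var rec = structNew();
    var dek = generateSecretKey("AES");   // per-record data key
    var panIv = randomIv();
    var dekIv = randomIv();
    rec.panCipher  = encrypt(pan, dek, ALGO, "Base64", panIv);
    rec.panIv      = binaryEncode(panIv, "Base64");
    rec.wrappedDek = encrypt(dek, kek, ALGO, "Base64", dekIv);   // DEK under KEK
    rec.dekIv      = binaryEncode(dekIv, "Base64");
    return rec;
}

function recoverPan(rec, kek) {
    // Unwrap the DEK with the KEK first, then decrypt the card number with it
    var dek = decrypt(rec.wrappedDek, kek, ALGO, "Base64",
                      binaryDecode(rec.dekIv, "Base64"));
    return decrypt(rec.panCipher, dek, ALGO, "Base64",
                   binaryDecode(rec.panIv, "Base64"));
}

kek = trim(fileRead("/opt/app/keys/kek.txt"));   // Base64 key, loaded at use time only
rec = protectPan("4111111111111111", kek);       // constructed test PAN
if (recoverPan(rec, kek) eq "4111111111111111") {
    writeOutput("round trip ok");
} else {
    writeOutput("mismatch");
}
</cfscript>
```

Rotating the KEK then means re-wrapping each stored DEK rather than re-encrypting every card number, and a copy of the database alone yields nothing without the file kept on the separate system.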